DOD lacks clear chain of command for domestic cyber attacks

By Mark Pomerleau

Apr 05, 2016

Despite increased public interest and attention to cybersecurity, the Defense Department has not defined how it will support civilian authorities in the event of cyber attacks, according to a Government Accountability Office report.

Several federal agencies lend a hand during disasters, with the Department of Homeland Security designated as the lead agency. DOD’s responsibilities include supporting civilian law enforcement agencies, restoring public health and providing support for national special security events. Additionally, DOD can, when authorized, provide military forces such as National Guard, as well as civilian and contracting personnel.

Because it plays a crucial role in confronting cyber threats to critical infrastructure, the Defense Department must also be prepared to support civil authorities in cyberspace, GAO said.

However, GAO found DOD has not identified the roles or responsibilities that could be called upon in such a cyber incident. It is also unclear which combatant command would be designated to support civil authorities -- the Northern Command, which is responsible for the geographic region of the United States, or the U.S. Cyber Command, which is in charge of global cyber operations.

Additionally, DOD has not identified the role of the dual-status commander -- the commander who has authority over both federal military and National Guard forces -- when it comes to supporting civil authorities in cyber incidents, GAO said.

When asked about the GAO report by senators in an appearance before the Senate Armed Services committee April 4, Cyber Command Commander Adm. Michael Rogers said that while he had not yet read the report, he is familiar with the issues it raised. “I’m always concerned about a clear chain of command and a clear articulation of responsibilities,” he said.

“U.S. Cyber Command and DOD writ large provide our cyber capabilities in the defense of critical infrastructure in the private sector in partnership and in support of DHS,” Rogers said.

However, “DOD is not resourced or tasked to defend every single computer in the U.S.,” he added. “DHS has overall responsibility in the federal government for the provision of government support to the private sector when it comes to cyber.”

At the Center for Strategic and International Studies in October, Rogers’ deputy at Cyber Command explained DOD’s role in critical infrastructure protection. DHS is the “primary part of the U.S. government that’s touching each of those critical infrastructure segments,” Lt General James “Kevin” McLaughlin said. “Our job really is trying to understand if we’re going to have responsive forces there … [and] how do we make sure that the people that are on those teams are trained and ready?”

GAO recommended that the Defense Department clarify how it will support government agencies in the event of a domestic cyber incident. A comprehensive plan for Cyber Command to support civil authorities in response to cyber attacks is due to Congress in May 2016, GAO noted.

About the Author

Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.